{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2025:NPILMHGNLR4YECWX5RQEMJGKTF","short_pith_number":"pith:NPILMHGN","schema_version":"1.0","canonical_sha256":"6bd0b61ccd5c79820ad7ec604624ca9959357cc65f4aed4e57e927f45618fab1","source":{"kind":"arxiv","id":"2505.05897","version":2},"attestation_state":"computed","paper":{"title":"How Reliable Are FOSS Popularity Metrics? Analyzing the Effort Required for Spoofing Common Software Popularity Metrics","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Ben Swierzy, Marc Ohm, Michael Meier, Timo Pohl","submitted_at":"2025-05-09T09:05:38Z","abstract_excerpt":"Quantitative metrics derived from software repositories and package ecosystems are widely used to assess the impact, popularity, maintenance, and criticality of free and open source software (FOSS) projects. However, these metrics are often assumed to be reliable despite their potential susceptibility to manipulation. Prior empirical software engineering and security research deployed these in a variety of ways which assume they indeed capture project impact and popularity. Yet, the extent to which these underlying signals can be spoofed in practice, and the consequences this has for downstrea"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2505.05897","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-05-09T09:05:38Z","cross_cats_sorted":["cs.SE"],"title_canon_sha256":"f91275261a14fc3f8854cb7f67f5a3b46cb442816d9debbc9937524185a8a37f","abstract_canon_sha256":"23a9ebc6d828fd39d3ae2677a853811297d8865e2e509ee7b1dc3b14f9a1aa88"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-21T01:04:13.895747Z","signature_b64":"KCV/ZGneVNvluhuH2Ct/cJcpphJrcNXzPqa4BOZTsNtNyfUUiPDZ6/cduIz5V04QFfxtRUPJ0IpWsYt5HlI/AQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"6bd0b61ccd5c79820ad7ec604624ca9959357cc65f4aed4e57e927f45618fab1","last_reissued_at":"2026-05-21T01:04:13.895087Z","signature_status":"signed_v1","first_computed_at":"2026-05-21T01:04:13.895087Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"How Reliable Are FOSS Popularity Metrics? Analyzing the Effort Required for Spoofing Common Software Popularity Metrics","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Ben Swierzy, Marc Ohm, Michael Meier, Timo Pohl","submitted_at":"2025-05-09T09:05:38Z","abstract_excerpt":"Quantitative metrics derived from software repositories and package ecosystems are widely used to assess the impact, popularity, maintenance, and criticality of free and open source software (FOSS) projects. However, these metrics are often assumed to be reliable despite their potential susceptibility to manipulation. Prior empirical software engineering and security research deployed these in a variety of ways which assume they indeed capture project impact and popularity. Yet, the extent to which these underlying signals can be spoofed in practice, and the consequences this has for downstrea"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2505.05897","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2505.05897/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2505.05897","created_at":"2026-05-21T01:04:13.895167+00:00"},{"alias_kind":"arxiv_version","alias_value":"2505.05897v2","created_at":"2026-05-21T01:04:13.895167+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2505.05897","created_at":"2026-05-21T01:04:13.895167+00:00"},{"alias_kind":"pith_short_12","alias_value":"NPILMHGNLR4Y","created_at":"2026-05-21T01:04:13.895167+00:00"},{"alias_kind":"pith_short_16","alias_value":"NPILMHGNLR4YECWX","created_at":"2026-05-21T01:04:13.895167+00:00"},{"alias_kind":"pith_short_8","alias_value":"NPILMHGN","created_at":"2026-05-21T01:04:13.895167+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF","json":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF.json","graph_json":"https://pith.science/api/pith-number/NPILMHGNLR4YECWX5RQEMJGKTF/graph.json","events_json":"https://pith.science/api/pith-number/NPILMHGNLR4YECWX5RQEMJGKTF/events.json","paper":"https://pith.science/paper/NPILMHGN"},"agent_actions":{"view_html":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF","download_json":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF.json","view_paper":"https://pith.science/paper/NPILMHGN","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2505.05897&json=true","fetch_graph":"https://pith.science/api/pith-number/NPILMHGNLR4YECWX5RQEMJGKTF/graph.json","fetch_events":"https://pith.science/api/pith-number/NPILMHGNLR4YECWX5RQEMJGKTF/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF/action/timestamp_anchor","attest_storage":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF/action/storage_attestation","attest_author":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF/action/author_attestation","sign_citation":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF/action/citation_signature","submit_replication":"https://pith.science/pith/NPILMHGNLR4YECWX5RQEMJGKTF/action/replication_record"}},"created_at":"2026-05-21T01:04:13.895167+00:00","updated_at":"2026-05-21T01:04:13.895167+00:00"}